Almost No Progress in Key Areas of Election System Security in Last Two Years

March 8, 2018

New York, N.Y. – By a number of key metrics, the country has failed to make significant progress securing voting machines, despite increasing warnings about system vulnerabilities from election officials and national security experts. An analysis released today by the Brennan Center for Justice at NYU School of Law comes amid concerns about the government’s response to attempts to interfere in U.S. democracy.

“The threats of both hacking and foreign interference are undeniable, yet we’re not doing all we can as a country to protect machines or ensure correct vote totals if a successful attack does occur,” said Lawrence Norden, deputy director of the Brennan Center’s Democracy Program. “While there has been important progress in securing our election infrastructure since 2016, when it comes to replacing outdated machines and mandating audits throughout the nation, we are failing. Casting a ballot and having it count as intended is the foundation of any democracy, and the time to fix these issues is now. States have been scrambling to do what they can, but Congress needs to support their efforts.”

The new analysis updates a 2015 Brennan Center report, America’s Voting Machines at Risk. While some federal agencies — and some states and counties around the country — have taken steps to secure infrastructure, Brennan Center researchers found two critical areas where the country has been remarkably slow to act:

We have not replaced voting machines most vulnerable to hacking: more than 40 states use ones that aren’t in production anymore.

States don’t mandate post-election audits that would allow us to detect and recover from successful cyberattacks against those machines. Only three require what is considered by experts to be the “gold standard” of auditing.

In the 2018 mid-term election, 43 states and Washington, D.C., will use voting machines that are no longer manufactured — the same number of states as in 2015. The age of the machines makes it difficult or impossible to find replacement parts, forcing some officials to turn to eBay.

This fall, 13 states will use paperless voting machines in some counties and towns. These older models are a security risk because they do not produce a paper record that can be used to verify vote totals in the event of a hack. Five states will be using these risky machines statewide. That’s just slightly down from 14 states that used paperless machines in 2016.

Paper records are of limited value against a cyberattack if they aren’t used to check the accuracy of the software-generated total, and to confirm that the results have not been manipulated. Only three states mandate post-election audits that provide a high-level of confidence in the accuracy of the final vote tally.

National security officials and election experts have called on Congress to act on legislation that would implement some of these security solutions. These bipartisan bills would help replace outdated machines and expand the number of machines with paper records. Debates that could decide if these measures get funded begin next week on Capitol Hill.

Would authorize $386 million in grants from the Department of Homeland Security to increase election system security and upgrade election infrastructure, including replacement of antiquated paperless touchscreen machines.

Would aid states that comply with security recommendations issued by the Election Assistance Commission (see below), including replacement of older voting equipment with systems that use a voter-verified paper record that will be audited to check electronic totals.

Would permanently designate state-run election systems as critical infrastructure and create a federal grant program to help states upgrade the physical, electronic, and administrative components of their voting systems.

Federal and State Actions to Secure Elections

Organizations like the Election Assistance Commission and the Belfer Center at Harvard University have offered cybersecurity trainings to hundreds of state and local election officials, while the Department of Homeland Security, the EAC, and state and local officials have established a coordinating council to allow them to share threat information and pool security resources.

In 2017, Virginia decertified the last of the paperless touchscreen machines being used in the state, deeming them too insecure for continued use. Michigan, Minnesota, and Nevada allocated money to replace old voting machines. Iowa and Rhode Island were among states that passed new post-election audit laws that require officials to check paper ballots against machine counts.

In the last year, Arkansas and North Dakota rejected proposals to fund new voting equipment. And in Wisconsin, the governor cut five new positions for the state’s election commission in the 2017-2019 budget. The commission has responded by telling the legislature it needs three new positions to counter rising cybersecurity risks. It is unclear how the legislature and Governor will respond.